Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-28: (with DISCUSS and COMMENT) [COMMENTS]

2019-10-22 Thread Michael Richardson
registrar's authorization > process. The % intended registrar would need to require reports on > voucher processing % status (or investigate their absence) in order to > detect such a case. > but I can't remember if we decided that we didn't need to discuss the >

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-28: (with DISCUSS and COMMENT) [NITS]

2019-10-22 Thread Michael Richardson
hardly be doc> surprised if additional purchases switching/routing products are doc> purchased. Deviations from a historical trend or an establish > nit: we probably only need one of "purchases" and "purchased". agreed. > Sec

[Anima] which base64 for RFC8366... original!

2019-10-22 Thread Michael Richardson
FC8366? -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works|IoT architect [ ] m...@sandelman.ca http://www.sandelman.ca/ | ruby on rails[ -- Michael Richardson , Sandelman Software Works -= IPv6 IoT

Re: [Anima] Roman Danyliw's Discuss on draft-ietf-anima-bootstrapping-keyinfra-28: (with DISCUSS and COMMENT)

2019-10-17 Thread Michael Richardson
> challenging. I have proposed a BOF/WG to deal with Lifecycle Security issues in IoT devices to Ignas. A number of people believe that it would attempt to boil the ocean. I think that with proactive chairing and diligent work that we can make progress. I did a talk today at RIPE79 about the quarant

Re: [Anima] Alvaro Retana's No Objection on draft-ietf-anima-bootstrapping-keyinfra-28: (with COMMENT)

2019-10-17 Thread Michael Richardson
lNumber MUST be there. If that is alvaro> what you meant from the start, then I’m ok with it. :-) So you prefer the reworded text, and I will use that in -29. -- Michael Richardson , Sandelman Software Works -= IPv6 IoT consulting =- signature.asc Description: PGP signature _

Re: [Anima] Alvaro Retana's No Objection on draft-ietf-anima-bootstrapping-keyinfra-28: (with COMMENT)

2019-10-16 Thread Michael Richardson
https://tinyurl.com/y5l4xz3z YANG doctor comments to come for -29, sometime after the RIPE IOT session tomorrow.

Re: [Anima] Alissa Cooper's No Objection on draft-ietf-anima-bootstrapping-keyinfra-28: (with COMMENT)

2019-10-16 Thread Michael Richardson
dly be surprised if additional purchases switching/routing products are purchased. Deviations from a historical trend or an established baseline would, however, be notable.

Re: [Anima] Alexey Melnikov's No Objection on draft-ietf-anima-bootstrapping-keyinfra-28: (with COMMENT)

2019-10-16 Thread Michael Richardson
ed to be specified: > a) which of CN-ID/DNS-ID/URI-ID/SRV-ID are allowed > b) are wildcards allowed in any of these? I've added text: The use of a DNS-ID for validation is appropriate, and it may include wildcard components on the left-most side. {i.e. what browser

Re: [Anima] Genart telechat review of draft-ietf-anima-bootstrapping-keyinfra-28

2019-10-16 Thread Michael Richardson
On 2019-10-13 4:39 a.m., Dan Romascanu via Datatracker wrote: Reviewer: Dan Romascanu Review result: Ready with Issues I am the assigned Gen-ART reviewer for this draft. The General Area Thank you for this. I will the majority of your issues with a -29 that I'll post this week. Given that

Re: [Anima] Alissa Cooper's Discuss on draft-ietf-anima-bootstrapping-keyinfra-28: (with DISCUSS and COMMENT)

2019-10-16 Thread Michael Richardson
> YANG issues raised by Tom Petch need fixing. Is there a plan to get either of > those done? I'm working on those fixes today. Also at RIPE79, and have two more conference calls, so I don't think I'll get it done before your call tomorrow, but it could happen :-)

Re: [Anima] Last Call: (Bootstrapping Remote Secure Key Infrastructures (BRSKI)) to Proposed Standard

2019-10-15 Thread Michael Richardson
Thank you Tom, I'll try to fix the issues you found this week. ___ Anima mailing list Anima@ietf.org https://www.ietf.org/mailman/listinfo/anima

Re: [Anima] Genart telechat review of draft-ietf-anima-bootstrapping-keyinfra-28

2019-10-14 Thread Michael Richardson
Esko Dijk wrote: > Besides the minor issues mentioned in the Gen-ART review, there are also > still a couple of open issues in the tracker > https://github.com/anima-wg/anima-bootstrap/issues Shouldn't these be > resolved also? Or is it already planned to do that later? Rejection of

Re: [Anima] Call for agenda ANIMA @ IETF 106, Singapore [ASAs]

2019-10-12 Thread Michael Richardson
in this area. +1 I think that we need to spend some high-level time discussing what happens next, now that we have completed the ACP work (ACP, BRSKI, architecture) {Our AD tells me that BRSKI will return to the IESG at a call very soon}

Re: [Anima] Call for agenda ANIMA @ IETF 106, Singapore [draft-carpenter-anima-l2acp-scenarios]

2019-10-12 Thread Michael Richardson
Brian E Carpenter wrote: > We recently posted draft-carpenter-anima-l2acp-scenarios-01 following > the discussion at IETF 105. > We'd like to briefly present the updates and get WG opinions whether > this work should be adopted. Can we find some MACsec expertise?

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-09-19 Thread Michael Richardson
Adam, Alexey, version -28 of the document contains a CDDL definition for the audit-log response. https://www.ietf.org/rfcdiff?url1=draft-ietf-anima-bootstrapping-keyinfra-27=draft-ietf-anima-bootstrapping-keyinfra-28 I hope that I'm done now!

Re: [Anima] Éric Vyncke's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-09-16 Thread Michael Richardson
CUSS I have included the following text in the two places we specify TLS: Use of TLS 1.3 (or newer) is encouraged. TLS 1.2 or newer is REQUIRED.

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-09-16 Thread Michael Richardson
e registrar performs log verifications in addition to local >> > authorization checks before accepting optional pledge device >> > enrollment requests. >> >> > Maybe give us a section reference to what the "log validations" are? >> &

Re: [Anima] Alexey Melnikov's Discuss on draft-ietf-anima-bootstrapping-keyinfra-26: (with DISCUSS and COMMENT)

2019-09-16 Thread Michael Richardson
sionally, or via the /cacerts EST method. The pledge would contain the logic to connect, and would know what name to use, and would know how to validate it.

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-09-16 Thread Michael Richardson
serial console.

Re: [Anima] Questions raised during IETF 105 regarding BRSKI-AE

2019-08-23 Thread Michael Richardson
ofile of CMP, maybe that would suit you better for these disconnected uses rather than fullcmc. Regardless, how would one discover and signal the use of fullcmc or CMP?

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-18 Thread Michael Richardson
rmative to me. (I will confess I've rather lost track of exactly why > we're debating if this is normative or not; I guess it's just the > disclaimer in Section 7 about "considered non-normative in the generality > of the protocol".) Yes, it's MUST do one of X,Y

Re: [Anima] Alexey Melnikov's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-18 Thread Michael Richardson
registrar (equivalent to EST server) are: o Client authentication is automated using Initial Device Identity (IDevID) as per the EST certificate based client authentication. The subject field's DN encoding MUST include the "serialNumber" | attribute with the device's

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-15 Thread Michael Richardson
e addition to the ACP applicability stating the above be >> useful? > Oh sure, the link-local IPv6 of the proto-ACP would be a great way to > show locality. Please do add some text regarding the ACP > applicability. Added after -26.

Re: [Anima] {FINAL} Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-15 Thread Michael Richardson

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-15 Thread Michael Richardson
ust-anchor (the manufacturer's CA), then a compromise of the manufacturer's CA would compromise both keys. Such a compromise of the manufacturer's CA likely compromises all keys outlined in this section.

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-15 Thread Michael Richardson
a fair concern, but in and of itself is not an excuse to skip > reasoning through the risks of the parallel workflow. How much effort > has already been spent doing that reasoning through? For example, one > might want to require that the pledge track which nonce belongs to the >

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-15 Thread Michael Richardson
an LDevID certificate) from having vouchers issued against them. Other cases of inappropriate voucher issuance are detected by examination of the audit log.

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-15 Thread Michael Richardson
his model supports the <4h SLA on service repair that most vendors have, and which they support by stocking spares in the local city, but not for a specific customer. I see that I've answered the rest already. The perils of all these CCs.

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-14 Thread Michael Richardson
plicability stating the above be useful? >> But, that's why we have SHOULD, and the SHOULD (vs MUST) part was really to >> allow for some fancy HTTP/3 we know nothing about :-) > :) > Do we still want to say "HTTP 1.1 persistent connections" vs. "

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-14 Thread Michael Richardson
te >> the EST TLS session using the newly obtained credentials. This >> - occurs by the client initiating a new TLS ClientHello message on the >> - existing TLS connection. The client MAY simply close the old TLS >> - session and s

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-14 Thread Michael Richardson
https://tinyurl.com/y2skc9xz Michael Richardson wrote: >> o The subject-alt field's encoding MAY include a non-critical >> version of the RFC4108 defined HardwareModuleName. (from [IDevID] >> section 7.2.9) If the IDevID is stored in a Trusted Platform

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-14 Thread Michael Richardson
s the Registrar End-Entity Certificate, when in fact it is the Registrar's CA certificate. As a CA certificate, it SHOULD always have the SubjectKeyIdentifier. We are presently discussing whether the EE Registrar cert should get audited.

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-13 Thread Michael Richardson
tion such that it uses the >> SubjectKeyIdentifier, if present. That can be any algorithm that the CA >> wants to use to identify the Entity certificate. We need to have a >> consistently calculated value if it's not present, and RFC5280 says SHA-1. >>

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-13 Thread Michael Richardson
+ the URL to the prepared (and idempotent, therefore cachable) audit + response in the Location: header. Does this fix things for you?

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-12 Thread Michael Richardson
eems a tad generic. Renamed already. Ben, I'm posting the -25, and then moving on back to the responses to my responses, including Adam's concerns.

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-12 Thread Michael Richardson
onceless vouchers, then they could issue vouchers for devices which are not yet in service. This attack may be very hard to verify and as it would involve doing firmware updates on every device in warehouses (a potentially ruinously expensive process), a manufacturer might be reluctant t

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-12 Thread Michael Richardson
turer's trust anchor for the first time, and then doc> the trust anchor would be installed to the trusted store. There are doc> risks with this; even if the key to name is validated using something doc> like the WebPKI, there remains the possibility > nit

Re: [Anima] EXTERNAL: Re: [Iot-onboarding] OPC and BRSKI

2019-08-12 Thread Michael Richardson

Re: [Anima] [Iot-onboarding] EXTERNAL: Re: OPC and BRSKI

2019-08-12 Thread Michael Richardson
step. Subsequent sales just extend the chain. We didn't go this way because: 1) it mandates sales channel integration, and we think that this will be rare at the beginning. 2) any party in the chain can issue a new sale certificate, effectively stealing the device from the current

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-11 Thread Michael Richardson
was once owned by Registrar A (but sold), then there is a hole that would permit Registrar A to ask for history. But this is legitimate, because perhaps it wasn't actually sold, but in fact stolen, and when they can't get the device to respond, the operator could ask if the device

[Anima] Change of authors for draft-ietf-anima-bootstrapping-keyinfra

2019-08-10 Thread Michael Richardson
into a regular contributor. As he was also the document shepherd, we had a conversation with our AD about the appropriateness of this change, and got approval. The WG, of course, may have other opinions, as it is the WG's document, and people should not feel shy about this.

Re: [Anima] EXTERNAL: Re: [Iot-onboarding] OPC and BRSKI

2019-08-10 Thread Michael Richardson
LS or extend our own model > with something like BRSKI but not BRSKI? > While I cannot predict how the various participants in the OPC WGs will > respond to question 3), I do know it would make collaboration a lot > easier if the answer to 2) was yes. I think yes

Re: [Anima] EXTERNAL: Re: [Iot-onboarding] OPC and BRSKI

2019-08-10 Thread Michael Richardson
r in August. Awesome.

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-09 Thread Michael Richardson
de by the > certificate must be validated, and that the received certificate and > chain must be retained for later validation. Added: The signatures in the certificate MUST be validated even if a signing key can not (yet) be validated. The certifi

Re: [Anima] What does PKIX refer to: Re: Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-09 Thread Michael Richardson
Michael Richardson wrote: > I'm hoping for some discussion about this comment that I previously > responded to, but it probably got buried. Actually, you did respond on July 20, in an email that I thought to re-read after pushing send. In it you said: mcr> I would n

[Anima] What does PKIX refer to: Re: Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-09 Thread Michael Richardson
3 useful. (I try never to use "X509", because the ITU left us with an unusable mess, and I don't think they deserve any credit)

Re: [Anima] [Iot-onboarding] Device Certificate Deployment Automation with ACME using BRSKI

2019-08-09 Thread Michael Richardson
RSKI document has been dealing with in its IESG review. If we can't change the trust anchors used to verify the voucher, then how can the device be onboarded after the MASA has gone away? I don't understand how RFC8572 slipped through the IESG without resolving this.

Re: [Anima] [Iot-onboarding] Device Certificate Deployment Automation with ACME using BRSKI

2019-08-08 Thread Michael Richardson
draft-ietf-netconf-trust-anchors) can be used > by a controller/NMS application to configure/set/push trust-anchor > certs used, e.g., to verify a remote server's end-entity certificate. But, more interestingly, it can be used to update the trust anchors, to enable a resale/transfer of ownership!

Re: [Anima] [Iot-onboarding] OPC and BRSKI

2019-08-08 Thread Michael Richardson
Device proves it has possession of the Device > private key. > That said, the KeyPair used for communication does not need to be the > same as the KeyPair used to authenticate.

Re: [Anima] [Iot-onboarding] Device Certificate Deployment Automation with ACME using BRSKI

2019-08-07 Thread Michael Richardson
I totally see how it gets initial configuration though. I also see how that initial configuration can be caused to do an enrollment, by leveraging some specific, vendor-specific, configuration command.

Re: [Anima] [Iot-onboarding] Device Certificate Deployment Automation with ACME using BRSKI

2019-08-07 Thread Michael Richardson
ft-ietf-netconf-keystore is that it would provide for Registrar initiated (PUSH) updating of device certificates, but would not provide a way for a device to initiate (PULL) to a securely identified EST server.

Re: [Anima] [Iot-onboarding] OPC and BRSKI

2019-08-07 Thread Michael Richardson
a DC, or adjacent distillation tower in a refinery), to use the device in my suite/cabinet/tower. The key problem is the verb "has" needs to be made very clear.

Re: [Anima] [Iot-onboarding] OPC and BRSKI

2019-08-07 Thread Michael Richardson
to be profiled. RFC8572 uses CMS signed JSON for vouchers, and for some configuration assertions, and while RESTCONF is an option, it's not the only option. I have downloaded the OPC documents, and I'll skim them tomorrow.

Re: [Anima] comments on draft-ietf-anima-grasp-api

2019-08-07 Thread Michael Richardson
Brian E Carpenter wrote: > On 07-Aug-19 05:24, Michael Richardson wrote: >> >> I read draft-ietf-anima-grasp-api from the expired drafts list. > Right, the -03 draft expired while we were in Montreal. Our plan is to > make the next update after the

[Anima] comments on draft-ietf-anima-grasp-api

2019-08-06 Thread Michael Richardson
ent. nits: 2.3.1.3: s/neg/negotiate/ I found the "NEG" term in GRASP confusing, because it seems like NEGative, rather than NEGotiate. I'd prefer it was spelt out in the API. s/dry/dryrun/

Re: [Anima] [Iot-onboarding] Device Certificate Deployment Automation with ACME using BRSKI

2019-08-06 Thread Michael Richardson
Kent Watsen wrote: > Skimming quickly, I see now the direction to go to a cloud registrar to > be redirected to a local registrar. I feel compelled to point out that > this is exactly what SZTP (RFC 8572) does, or at least, supports. > Actually, as a more general statement, it

Re: [Anima] Clarification reg old reference in the BRSKI draft to IEEE 802_1AR-2009

2019-07-30 Thread Michael Richardson

Re: [Anima] MACsec as an alternative to L3-tunnels

2019-07-29 Thread Michael Richardson
t; routing protocol and aliveness parameters of ACP/data-plane.

Re: [Anima] [core] SID files and IANA

2019-07-29 Thread Michael Richardson
;> for the mega range that you have mentioned). That being said, I want >> to be sure that the SID draft will not be delayed in case that draft >> is delayed for any reason, so maybe we will need to discuss. Michael Richardson wrote: > I have opened a github issue against th

Re: [Anima] MACsec as an alternative to L3-tunnels

2019-07-26 Thread Michael Richardson
this is where i have not tried to validate), > that MacSec should equally be able to utilize multiple keypairs, > probably mapped by VLAN or ethertype. But the question of course is > whether you want/can expect that MACsec MIC chips have that feature. The people in the line behind

[Anima] MACsec as an alternative to L3-tunnels

2019-07-24 Thread Michael Richardson

Re: [Anima] Clarification reg old reference in the BRSKI draft to IEEE 802_1AR-2009

2019-07-23 Thread Michael Richardson
rather we found SHOULD: Yes, but we are saying that *WE* require it. > Here it says: An IDevID certificate subject field shall be non-null and > should include a unique device serial number.

Re: [Anima] I-D Action: draft-ietf-anima-bootstrapping-keyinfra-24.txt

2019-07-22 Thread Michael Richardson
/rfcdiff?url2=draft-ietf-anima-bootstrapping-keyinfra-24 There are still two significant bits of DISCUSS that I have yet to deal with.

Re: [Anima] addressing Content-Type-Encoding errata on EST / RFC7030 --- relationship to BRSKI

2019-07-21 Thread Michael Richardson
Carsten Bormann wrote: > On Jul 17, 2019, at 19:10, Michael Richardson > wrote: >> >> always base64 the payloads > Which means that the content-type headers lie. Backwards > combyativbility [actual autocorrect result :-)] can be nasty. But

Re: [Anima] Alexey Melnikov's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-18 Thread Michael Richardson
rsonally > prefer a new registry, but I understand that it might be a bit more > work in the document. I prefer Updates: 7030.

Re: [Anima] Alexey Melnikov's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-18 Thread Michael Richardson
can also be - used for matching purposes. As noted in that document this is not

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-17 Thread Michael Richardson
s applied.

Re: [Anima] addressing Content-Type-Encoding errata on EST / RFC7030 --- relationship to BRSKI

2019-07-17 Thread Michael Richardson

Re: [Anima] Mirja Kühlewind's No Objection on draft-ietf-anima-bootstrapping-keyinfra-22: (with COMMENT)

2019-07-17 Thread Michael Richardson
ssed in the > doc. However, this is a usual safety measure we are building in all > protocols (except there is a good reason to do otherwise), e.g. also > for routing protocols, because you never know for sure how future > deployment scenarios will look like. I have

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-16 Thread Michael Richardson
quot;ietf-mud-extens...@2018-02-14.yang" > is, but it seems a tad generic. I changed ietf-mud-extension to ietf-mud-brski-masaurl-extension. > Appendix D > [Just checking that Michael wants sandelman.ca embedded in the final > RFC] I don't have a problem with it. There

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-16 Thread Michael Richardson
Eliot Lear wrote: >> On 13 Jul 2019, at 17:10, Michael Richardson >> wrote: >> >> Signed PGP part >> >> Eliot Lear wrote: >>> I think the simplest way to address the bulk of both Adam’s and >>> Warren’s

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-16 Thread Michael Richardson
a process that can be outsourced, and that customers will insist that it is escrowed. 25 years ago, when I worked in one of the first firewall companies, dead 20 years now, I regularly provided escrow tapes. It's almost never worth the customers' money to use them, but I'm sure someone has used them.

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-16 Thread Michael Richardson
it has to work. And putting the onus for that > on the original vendor does NOT seem an effective solution. As long as vendors support blue cables, and are willing to provide firmware updates, I don't see any change.

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-16 Thread Michael Richardson
se case is the domain of TR-069. I don't know what DSL providers do, some have service PPPoE username/password that they use. Let other use cases write different requirements for access.

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-16 Thread Michael Richardson
specific quality (e.g., idempotence), > say so explicitly. I have removed the two occurrences of "RESTful", and in the place where we use 201-Created w/Location:, I mentioned that it is the idempotency that is probably important.

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-16 Thread Michael Richardson
ferences from IRI to URL, and the components from iauthority to 'authority'.

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-16 Thread Michael Richardson
from the point after the voucher is validated. This process SHOULD include server certificate verification using an on-screen fingerprint.

Re: [Anima] Alissa Cooper's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-16 Thread Michael Richardson
that this belongs at the end of 1.0, just prior to 1.1?

Re: [Anima] Alexey Melnikov's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-16 Thread Michael Richardson
trust anchor since serial numbers are not globally unique.

Re: [Anima] Mirja Kühlewind's No Objection on draft-ietf-anima-bootstrapping-keyinfra-22: (with COMMENT)

2019-07-16 Thread Michael Richardson
y of sending MUST be such that the aggregate amount of periodic M_FLOODs from all flooding sources cause only negligible traffic across the ACP. I will copy this text.

[Anima] ACP SRV.est example

2019-07-16 Thread Michael Richardson
TCP, 80] ] Figure 3: GRASP SRV.est example

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-14 Thread Michael Richardson
is being sold is because the seller went into bankruptcy. There is no seller Registrar to invoke this API.

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-14 Thread Michael Richardson
r had a record of all previous ones, going back to the original MASA-issued voucher. I had originally considered this to be the right way to do resale, but many others thought it too complex.

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-14 Thread Michael Richardson
define such an artifact in a timely fashion, nor do I know which WG we'd do it in.

Re: [Anima] a note on the rfcdiff for draft-ietf-anima-bootstrapping-keyinfra-22 DISCUSSes

2019-07-13 Thread Michael Richardson
from the various DISCUSSes: https://tinyurl.com/y2qhjwh8 This does not suffer from being very very wide.

[Anima] a note on the rfcdiff for draft-ietf-anima-bootstrapping-keyinfra-22 DISCUSSes

2019-07-13 Thread Michael Richardson
to scroll. I may post a -23 version with a fix for ONLY the wide JSON, so that a diff against -24 is more understandable. I can't do that until 22nd, but perhaps I'll stage it elsewhere until then.

Re: [Anima] Alexey Melnikov's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-13 Thread Michael Richardson
> I think you want to use lower case "should" here. Agreed. > In 5.7 (and a similar issue elsewhere): >{ "version":"1", "Status":FALSE /* TRUE=Success, FALSE=Fail" > This is not valid JSON, this is not even valid pseudo-JSON. Please move > the comment: Already fixed, please see changes at: https://tinyurl.com/y2ex324x

Re: [Anima] Magnus Westerlund's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS)

2019-07-13 Thread Michael Richardson
6 that has been obsoleted by RFC 7230 and > companions. I do note that there is no normative reference for that > part in this document. Fixed to 7230. Yes, that wasn't even a real reference, just a literal [RFC2616].

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-12 Thread Michael Richardson
> You almost certainly don't want the service name to contain a leading > underscore. That is added as part of the DNS-SD resolution process, but > not part of the service name itself. fixed. > --- > Appendix B: >> For example, if the first >> Multicast DNS _bootstrapks._tcp.local response doesn't work then the >> second and third responses are tried. > I got a little lost here. Where is the "bootstrapks" service defined? > I don't see it defined in this document or registered at > https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=bootstrapks Toerless, can you help here? I think that we renamed this.

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-11 Thread Michael Richardson
trying to target. I guess we also latched onto section 7.1.2 ("Location"). Can you point me to another document that tries to specify the same thing? If we shouldn't say we are trying to be RESTful, what should we say?

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-11 Thread Michael Richardson
was, and we then agreed that there were sometimes reasons to include the entire URL, but that less is better. We then looked for what the term for the "hostname:port" part was, and found 3986 and 3987.

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-11 Thread Michael Richardson
should solve, and for having not solved the problem that the WG charter said was out-of-scope. I'm curious if anyone has read Vernor Vinge's Rainbows End.

Re: [Anima] Alissa Cooper's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-10 Thread Michael Richardson
represent some kind of change in business plans. Would a PC vendor be interested if some Enterprise customer suddenly bought only tablets? The BRSKI-MASA connection does not reveal what is bought, but it does reveal who is doing business with whom, and it may also reveal volume. This is just tra

Re: [Anima] Roman Danyliw's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-10 Thread Michael Richardson
rg/doc/review-ietf-anima-bootstrapping-keyinfra-20-secdir-lc-huitema-2019-06-04/), > please respond to the last two issues – random number generation and the > missing assertion leaf. I had not seen this second review, thank you. I will read this on Thursday and post additional

Re: [Anima] Roman Danyliw's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-10 Thread Michael Richardson
. I suspect that the first draft will mostly be a list of things not to do. ("Doctor, it hurts when I move my arm like this...")

Re: [Anima] Roman Danyliw's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-10 Thread Michael Richardson
ong thread from concerned operators, this move towards a secure-onboarding-by-default scares people who are used to improvising things in an emergency.

Re: [Anima] Roman Danyliw's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-10 Thread Michael Richardson
arer without over-engineering this, remembering that this is a PS, not IS, and the proof will be in the running-code. Would you prefer to use CDDL or something like that to describe it?

Re: [Anima] Roman Danyliw's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-10 Thread Michael Richardson
Additional standard JSON fields in this POST MAY be added, see - . + . A server that + sees unknown fields should log them, but otherwise ignore them.
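Review bot: the added sentence "A server that sees unknown fields should log them, but otherwise ignore them" uses a lowercase "should" immediately after an RFC 2119 "MAY" in the preceding sentence; if logging is meant as a requirement, write SHOULD, and if it is only advice, say so, because otherwise a reader of this section cannot tell which is intended. It is also worth bounding what gets logged: the unknown field names and values come from the sender of the POST, so an implementation that writes them verbatim to a log should truncate and escape them first.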

Re: [Anima] Éric Vyncke's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-07-10 Thread Michael Richardson
o so." > lower case for pledge and what is the purpose of the comma in this > sentence? We had a mania at some point that argued that Pledge was a proper noun. We recovered from it. I think that comma belongs; maybe it SHOULD be a semicolon. I'm happy to let the copy-editor argue

[Anima] appendix C changes for draft-ietf-anima-constrained-voucher-04.txt

2019-07-04 Thread Michael Richardson
fix before Monday and repost. I don't expect to make any other substantive changes other than a few grammar typos I noticed.
